






Security & privacy

Health records of 83,000 lost in Ontario

OSHAWA, Ont. – Ontario’s privacy commissioner has launched an investigation after a USB drive went missing that contained the personal health information of more than 83,000 people who went to flu clinics in Durham Region, just northeast of Toronto.

The USB key contained the personal information of persons who attended a Durham Region Health Department flu vaccination clinic for either an H1N1 or seasonal flu shot between Oct. 23 and Dec. 15.

Commission spokesman Bob Spence said the probe will try to determine what happened and what steps might be taken to prevent a similar incident from occurring.

A health department nurse was taking a USB key containing the records to her car in Whitby, Ont., for use at a remote clinic site on Dec. 15 when the device was lost. A search failed to turn it up.

“We believe it was lost on regional property. We have some video surveillance tape to indicate that was the case,” said Dr. Robert Kyle, chief medical officer of health for Durham Region.

Kyle said the USB key disappeared on Durham Region headquarters property and includes the names, addresses, phone numbers, dates of birth, health card numbers and the names of primary physicians for 83,524 people who visited flu clinics for a seasonal or H1N1 shot between Oct. 23 and Dec. 15.

The missing device also included health information such as a patient’s allergies and chronic medical conditions, but that information would not be discernible, he said.

“We have absolutely no evidence nor any belief that it was deliberately stolen,” Dr. Kyle said, adding surveillance video shows the USB being placed on a rock on the property after it was lost by the nurse. “The only conclusion we can reach is it was out there in the open, somebody saw it, they picked it up and carried it away.”

University of Ottawa professor Khaled El Emam, an expert in eHealth privacy, said the data loss doesn’t bode well for the public’s perception of how their personal information is being secured.

“You can never prevent human error,” El Emam said. “However, you can put in place mechanisms, policies and procedures to minimize the probability of it happening.

“If you are going to hold data on a USB stick you definitely want to have that encrypted,” he said.

In 2007, Ontario Privacy Commissioner Ann Cavoukian ordered Toronto’s Hospital for Sick Children to encrypt any personal data taken out of the hospital on a laptop or other mobile computing device.

The order came after a laptop containing the personal health information of 2,900 patients was stolen from the car of a researcher.

At the time, the commissioner provided guidelines to all healthcare professionals working with patient information, saying, “at a minimum, files or folders containing personal health information must be encrypted,” if they are stored on mobile devices in an identifiable form.

“There is no excuse for unauthorized access to personal health information (PHI) due to the theft or loss of a mobile computing device - any PHI contained therein must be encrypted,” Cavoukian said in her 2007 order.

Health officials in Durham have apologized for the security lapse and said a notification letter will be sent to anyone who attended the flu clinics.

Posted Jan. 28, 2010